Privacy Policy

IslandSpots (operating as "IslandSpots", "we", "us", or "our") is an online platform that connects travellers with local activity operators on the Canary Islands and beyond. We are headquartered in the Netherlands and operate as a data controller under the General Data Protection Regulation (GDPR).

We collect only the information you give us and what is necessary to provide our service:

• Account information — When you sign up as an operator, we collect your name, email address, business name, phone number, website URL, and payment information (processed by Stripe).
• Authentication data — If you sign in with Google, we receive your email address and profile name from Google. We never store your Google password.
• Usage information — We track click-through rates on operator listings to provide monthly reports. This is aggregated and does not identify individual visitors.
• Communications — If you contact us via email or through the platform, we keep a record of those communications to provide support.
• Payment data — All payment processing is handled by Stripe, Inc. We never store full credit card numbers on our servers. Stripe's privacy policy applies to data they process on our behalf.

• To create and maintain your operator account and profile
• To process subscription payments and manage billing
• To send you monthly click reports and account notifications
• To display your business listing on the platform (business name, phone, website)
• To respond to your support requests and communications
• To improve our platform based on aggregated usage patterns
• To comply with legal obligations and enforce our Terms of Service

We never sell your personal data to third parties. We never use your data for advertising profiling. We never share your data with third parties for their own marketing purposes.

Under the General Data Protection Regulation, we process your personal data on the following lawful bases:

• Contractual necessity — Processing required to create and maintain your account, process payments, and deliver our services.
• Legitimate interests — Analytics to improve our platform, fraud prevention, and direct communications about your account.
• Consent — Where you have explicitly consented, such as when you choose to sign up for email reports.
• Legal obligation — Where we are required by law to retain or disclose information.

You have the right to withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.

We use minimal cookies necessary for the operation of the platform:

• Authentication cookies — Required to keep you logged in as an operator.
• Session cookies — Used to maintain your session state while using the dashboard.
• Stripe cookies — Set by Stripe for payment processing. These are third-party cookies governed by Stripe's privacy policy.

We do not use tracking cookies, analytics cookies, or advertising cookies. We do not use fingerprinting or any other covert tracking techniques. You can configure your browser to reject cookies, but this may prevent the platform from functioning correctly.

• Account data — Retained for the duration of your operator subscription plus 12 months after cancellation to allow for reinstatement.
• Financial records — Retained for 7 years as required by tax law (EU VAT Directive).
• Usage analytics — Aggregated and anonymised after 24 months.
• Communications — Retained for 3 years after the last interaction.

You may request deletion of your account and personal data at any time by contacting us at the email address below. We will action deletion requests within 30 days, subject to legal retention requirements. To request deletion of your data, please email us from the email address associated with your account.

Under the GDPR, you have the following rights regarding your personal data:

• Right of access — Request a copy of the data we hold about you.
• Right to rectification — Correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten") — Request deletion of your data.
• Right to restrict processing — Limit how we use your data.
• Right to data portability — Receive your data in a machine-readable format.
• Right to object — Object to processing based on legitimate interests.
• Right to lodge a complaint — File a complaint with your local data protection authority (in the Netherlands: Autoriteit Persoonsgegevens).

To exercise any of these rights, or if you have questions about this policy, contact us at: Email: privacy@islandspots.io Address: IslandSpots, Amsterdam, Netherlands We will respond to all requests within 30 days. If we cannot honour your request, we will explain why. This policy was last updated on 15 June 2026. We will notify you of material changes via email and a notice on the platform.